Welcome to the ExpressVPN Privacy Research Lab

Not all VPNs are made equal, particularly when it comes to privacy and
security. While using a VPN is often as simple as tapping a button,
there’s a lot of work needed behind the scenes to ensure your connection
protects you online. A great VPN is constantly investigating threats
to its users’ privacy and security and improving its service to
protect them.

Our mission at ExpressVPN’s Privacy Research Lab is to bring that level
of scrutiny to every piece of software we ship to customers. We have
engineers working daily to investigate a range of scenarios that could
impact user privacy and security.

To help you better understand the privacy and security advances the
Lab is making, as well as help the VPN industry as a whole improve on
these fronts, we’ve developed a library of case studies for the types
of potential leaks that ExpressVPN’s research has identified and
protected users from, as well as directions and Leak Testing Tools
that enable customers and third parties to verify our own or other VPN
providers’ claims independently. The tools are open-source, maintained
by ExpressVPN, and open for anyone to use and contribute to.

Leaks and leakproofing:
What makes for a good, secure VPN?

Let’s start with the basics. To protect your privacy and security, a
VPN should, among other things:

hide your browsing activity and app data from your ISP,

hide your IP addresses from the websites and apps that you use,

ensure all DNS requests are encrypted and only sent to the VPN
provider’s DNS servers, and

ensure all your network traffic is encrypted to prevent hackers or
other third parties from viewing its contents.

Ideally, a VPN should do all of these things consistently from the
instant you turn it on up until the moment you choose to turn
it off, whether that’s for a few minutes, several hours, or even days
at a time.

In reality, however, not all VPNs are able to accomplish this. There
are some scenarios—such as when your device unexpectedly disconnects
from the VPN server—where your private information might be exposed,
if only for a moment. We call this a leak.

One way to measure the quality of a VPN is by counting these leaks
across all possible scenarios where a VPN might leak.
The best VPN is the one with the fewest leaks.

Case studies:
What are some scenarios where a VPN might leak?

Here’s a quick overview of some situations where your personal
information could become vulnerable even while using a VPN:

ExpressVPN takes great care to prevent leaks in all of these scenarios
and more. But how can we be sure? More importantly, how can you be sure?

The case studies below provide in-depth investigations into each
scenario, explaining how they could impact your privacy and security,
as well as outlining how you can use the ExpressVPN Leak Testing Tools
to evaluate your VPN’s effectiveness.

Tools:
How do you test a VPN for leaks?

ExpressVPN Leak Testing Tools:

Rigorous, regular testing is key to ensuring a VPN service protects
against leaks. As part of our investment in user privacy and security,
ExpressVPN has developed an extensible suite of leak testing tools
designed for both manual and automated regression testing.

While these tools were built to be used internally, we came to
recognize they could be beneficial to improving privacy and security
across the VPN industry as a whole. We have thus open-sourced them,
enabling anyone to assess their risk of leaks and evaluate VPNs, as
well as help the entire VPN industry raise its privacy and security
standards.

These tools currently test for a number of different types of leaks,
including:

IP address leaks

IP traffic leaks

DNS leaks

WebRTC leaks

BitTorrent leaks

Leaks resulting from unstable network connections

Leaks resulting from VPN servers being unreachable

ExpressVPN will continue to evolve these tools and release new ones in
the future.

Online leak tests:

Getting involved:

We welcome researchers, academics, developers, and others to join us
in our effort to improve privacy and security standards in the VPN
industry. If you’d like to help improve and expand the leak testing
tools, we’ll be accepting contributions in the usual fashion via
GitHub.

If you’re interested in leakproofing and privacy and would like a more
involved role, either as a collaborator or part- or full-time team member,
please drop us a line at leakproofing@expressvpn.com and let us know.